The present invention relates generally to a system security design/evaluation support tool, a system security design/evaluation support method, and a system security design/evaluation support program. More particularly, it relates to techniques that support system security design and evaluation in the design and evaluation phases of an information system, and in particular to a technique for deriving a proper assurance level for the components (products or newly developed parts) making up the system from the viewpoint of security assurance, and further to a technique for deriving products of proper assurance levels while satisfying function requisites and suppressing costs at the stage of designing the information system.
In recent years, vendors have been providing a growing number of IT products with various functions for the purpose of security measures. Among these IT products, the number whose security levels have been evaluated and certified according to ISO/IEC 15408 (CC: Common Criteria), the international criteria for security function design and evaluation, is increasing year by year.
Security evaluation under ISO/IEC 15408 means verifying whether a security function that meets a security objective defined for the subject of evaluation (a product or a system) is provided, and whether that security function is securely implemented. ISO/IEC 15408 defines seven Evaluation Assurance Levels (EALs), hereinafter referred to simply as "assurance levels", which indicate the range, depth and rigor of this verification. Certification at a higher assurance level requires a stricter inspection over a wider range and to a greater depth, which increases the time and cost of the security evaluation.
ISO/IEC 15408 does not, however, prescribe how assurance levels are to be set. For products, the level may therefore be chosen by reference to an industry standard level, or set by the developer itself in view of the intended use and range of use of the product.
Systems, meanwhile, are composed of constituent elements (hereinafter referred to as components) such as combinations of existing IT products and newly developed parts. These components, i.e., the IT products and newly developed parts, have various assurance levels, and may include IT products that have not been evaluated and certified. In designing and evaluating a system, it is preferable to confirm that the products introduced have proper assurance levels and that the newly developed parts have been verified at proper assurance levels, as well as to configure the system by combining components whose security functions counter the threats expected against the system.
Reference 1 (Department of Trade and Industry, "INFORMATION SECURITY ASSURANCE GUIDELINES FOR THE COMMERCIAL SECTOR", November 2000, Internet URL: HTTP://WWW.DTI.GOV.UK/INDUSTRY_FILES/PDF/CAG1.PDF) proposes, as an example of a method for setting the assurance level of an IT product or system, a conventional technique that ranks each of the following as, e.g., high, medium or low: the magnitude of vulnerability of the subject of evaluation, the reliability of the user of the subject of evaluation, and the impact that the organization managing the subject of evaluation would suffer under a threat. The magnitude of the risk is then obtained from these ranks, so that an assurance level matching the obtained risk can easily be set. As to the assurance levels of the components forming a system, it has also been proposed that a higher assurance level be required of components having a factor that raises the risk of a threat (for example, a high asset value of the subject of protection, or a high likelihood of the threat occurring). Refer to reference 2, "ISO/IEC TR 15446 (Guide for the Production of PPs and STs), Version 0.93 2002-10-20 (Working Draft N3374)", October 2002, Internet URL: HTTP://WWW.IPA.GO.JP/SECURITY/JISEC/DOCUMENTS/27N3374PP STGUIDE_V093.PDF.
Moreover, when performing the security design and installation of a system, it is generally more reasonable to select from these IT products, while suppressing cost, IT products of appropriate assurance levels, or a combination of several IT products, that provide security functions matching the objective of the system of interest, than to newly develop all functions from scratch.
For the security design and installation of a system, a method of selecting the optimum combination of IT products in terms of security function and cost has been proposed as an example of selecting and combining IT products suitable for the system. Refer to reference 3, Y. Nagai et al., "Proposal of Basic Method of Designing Security of Information System Taking into Account Functional Adaptability", JOURNAL OF INFORMATION PROCESSING SOCIETY OF JAPAN, Vol. 45, No. 4, April 2004, pp. 1163-1175. In this method, the degrees of importance of the security function requisites (or security measure targets) to be satisfied by the system, the degrees of satisfaction provided by the IT products, and the degrees of association between the system's security function requisites and the functions of the IT products are first set. A fuzzy synthesis operation is then used to derive, from the available choices of IT products, the combination that maximizes the degree of functional adaptability to the system's requisites, under the constraint that costs (the expense of introducing, setting up and managing the IT products, the time for introduction and setup, and the like) fall within permissible ranges.
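The following Python program is an added illustration and is not code from the patent or from references 1 and 3. It combines the two ideas described above: first, the rank-based risk estimate of reference 1, where vulnerability, user reliability and organizational impact are each ranked high, medium or low and an assurance level is chosen from the resulting risk magnitude; second, the selection of reference 3, where a combination of IT products is chosen to maximize functional adaptability to weighted security function requisites within a cost limit. The numeric rank scores, the mapping from risk magnitude to EAL, the aggregation used in place of the fuzzy synthesis operation, and the candidate products are all assumptions constructed for this example; the extension of reference 3's selection with a minimum assurance level for every chosen product is likewise the author's addition here.

```python
"""Added example: risk-rank based assurance level, then product selection.

Assumptions (not from the cited references): numeric rank scores, the
risk-to-EAL mapping, a weighted best-satisfaction aggregate standing in
for the fuzzy synthesis operation, and the constructed product catalogue.
"""
from itertools import combinations

# Assumed scores for the three-way ranking used in reference 1.
RANK_SCORE = {"low": 1, "medium": 2, "high": 3}


def risk_magnitude(vulnerability, user_reliability, impact):
    """Risk rises with vulnerability and impact and falls with user
    reliability, so reliability is inverted. Result lies in 3..9."""
    return (RANK_SCORE[vulnerability]
            + (4 - RANK_SCORE[user_reliability])
            + RANK_SCORE[impact])


def required_eal(risk):
    """Assumed step mapping of risk 3..9 onto EAL1..EAL7 (ISO/IEC 15408
    defines seven levels; the reference does not prescribe this table)."""
    return max(1, min(7, risk - 2))


# Constructed sample catalogue: cost, certified EAL, and the degree of
# satisfaction (0..1) each product gives for each security function requisite.
PRODUCTS = {
    "firewall_A": {"cost": 30, "eal": 4,
                   "satisfies": {"access_control": 0.9, "audit": 0.4}},
    "firewall_B": {"cost": 15, "eal": 2,
                   "satisfies": {"access_control": 0.7}},
    "ids_C":      {"cost": 25, "eal": 3,
                   "satisfies": {"audit": 0.8, "intrusion_detection": 0.9}},
    "crypto_D":   {"cost": 20, "eal": 4,
                   "satisfies": {"confidentiality": 0.95}},
    "crypto_E":   {"cost": 10, "eal": 1,
                   "satisfies": {"confidentiality": 0.6}},
}

# Constructed degrees of importance of the system's security function requisites.
REQUISITES = {"access_control": 1.0, "audit": 0.6,
              "intrusion_detection": 0.8, "confidentiality": 1.0}


def adaptability(selection, requisites=REQUISITES, products=PRODUCTS):
    """Degree of functional adaptability of a product combination: for each
    requisite take the best satisfaction among the selected products, weight
    it by importance, and normalise by the total weight (assumed aggregate)."""
    total = sum(requisites.values())
    score = 0.0
    for req, weight in requisites.items():
        best = max((products[p]["satisfies"].get(req, 0.0) for p in selection),
                   default=0.0)
        score += weight * best
    return score / total


def select_products(budget, min_eal=1, requisites=REQUISITES, products=PRODUCTS):
    """Exhaustive search (adequate for a small catalogue) for the combination
    that maximises adaptability subject to total cost <= budget, with every
    chosen product certified at or above min_eal. Ties prefer lower cost.
    Returns ((), 0.0) when no eligible combination fits the budget."""
    eligible = [p for p, d in products.items() if d["eal"] >= min_eal]
    best, best_key = (), (0.0, 0)
    for r in range(1, len(eligible) + 1):
        for combo in combinations(eligible, r):
            cost = sum(products[p]["cost"] for p in combo)
            if cost > budget:
                continue
            key = (adaptability(combo, requisites, products), -cost)
            if key > best_key:
                best, best_key = combo, key
    return best, best_key[0]


def design_for_risk(vulnerability, user_reliability, impact, budget):
    """Derive the assurance level from the risk ranks, then choose products
    that meet it within budget."""
    eal = required_eal(risk_magnitude(vulnerability, user_reliability, impact))
    selection, score = select_products(budget, min_eal=eal)
    return eal, selection, score


if __name__ == "__main__":
    for ranks in (("low", "high", "low"), ("low", "medium", "medium"),
                  ("high", "low", "high")):
        eal, sel, score = design_for_risk(*ranks, budget=60)
        print(f"ranks={ranks} -> EAL{eal}, products={sel}, adaptability={score:.3f}")
```

The last case in the demonstration (all factors unfavourable) yields a required level that no catalogued product reaches, and the selection comes back empty; that is the situation in which a newly developed part verified at the required level, rather than an existing product, has to be considered.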
Furthermore, a method of deciding, from system configuration candidates, the optimum configuration that achieves low cost and high reliability, taking into account both system reliability and equipment cost, has been proposed as an example method of deciding configuration candidates for a system (refer to reference 4, Japanese Patent Application Laid-Open Publication No. 2002-34151).